[keycloak-dev] token exchange
Pedro Igor Silva
psilva at redhat.com
Tue Aug 15 08:41:53 EDT 2017
On Mon, Aug 14, 2017 at 10:42 AM, Bill Burke <bburke at redhat.com> wrote:
> The CLI tool I wrote doesn't allow token exchange yet, but you're correct,
> I'm thinking of using it to perform token exchange.
>
> Our ID tokens are not signed right now. Also, you still need client-to-client
> exchange so that you can "downgrade" a token to talk to an untrusted
> service. I've also added new fine-grained permissions "exchange-from" and
> "exchange-to".
>
> For example, let's say Client A gets a token and invokes service B, which
> needs to invoke untrusted service C.
>
When Client A gets a token to invoke Service B, what does the "aud" claim in the
token look like for you? Is it referencing Service B?
Asking because I noticed that our access tokens are being issued with the
authenticated client in the "aud" claim, where it should contain (or in addition
to other audiences) the target service. A typical scenario for bearer token
authentication. Also, our BearerTokenRequestAuthenticator does not seem to
validate the audience.
Considering the flow you described, Client A would need a token with
Service B as a valid audience in order to be able to start the flow.
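The audience check discussed above, written out as an added example that is not part of the original thread or of Keycloak's own BearerTokenRequestAuthenticator. It assumes an HS256 shared secret so it runs offline (Keycloak signs access tokens with the realm's asymmetric key); the issuer URL, client and service names, and the claims are constructed for the example. A resource server acting as "Service B" rejects a token whose "aud" names only the authenticated client, and accepts one whose "aud" lists the service, handling both the string and the array form of "aud" that RFC 7519 allows.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only. Keycloak uses the realm's
# RSA key (RS256); HS256 is used here so the block runs with no key material.
SECRET = b"example-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint a compact HS256 JWS carrying `claims` (stand-in for the issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_bearer(token: str, expected_audience: str, key: bytes = SECRET,
                  now=None) -> dict:
    """Validate a bearer token presented to the service `expected_audience`.

    Checks the signature, the expiry, and the point of the thread: that
    the token's "aud" claim names this service. "aud" may be a single
    string or an array of strings; a token with no "aud" is rejected
    rather than accepted by default. Raises ValueError on failure and
    returns the claims on success.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The verifier, not the token, decides which algorithm is acceptable.
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("missing aud")
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in audiences:
        raise ValueError(f"token not intended for {expected_audience}")
    return claims


def demo() -> dict:
    """Service B checks two constructed tokens issued to Client A."""
    now = 1_700_000_000
    base = {"iss": "https://idp.example/realms/demo", "sub": "alice",
            "azp": "client-a", "iat": now, "exp": now + 300}
    # How the thread says tokens look today: "aud" is the authenticated client.
    client_only = make_token({**base, "aud": "client-a"})
    # How it should look for the flow: "aud" also names the target service.
    for_service_b = make_token({**base, "aud": ["client-a", "service-b"]})
    results = {}
    for name, tok in (("client_only", client_only), ("for_service_b", for_service_b)):
        try:
            verify_bearer(tok, "service-b", now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints the first token rejected with "token not intended for service-b" and the second accepted; the same check applied at Service B is what Client A's token must satisfy before the exchange toward Service C can start.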